Web servers from the US are being used by hackers to distribute banking trojans, but also to steal information and spread ransomware.
This is according to cybersecurity company Bromium, which published a report after analysing public data for almost a year (between May 2018 and March 2019).
It claims that malicious threats of different kinds were coming from web servers registered under the name PONYNET, hosted on BuyVM data centres located in Las Vegas.
BuyVM is under the ownership of FranTech solutions, for which Bromium claims has ‘links to far-right websites’.
The company traced almost a dozen different malware types to the servers: Dridex, Gootkit, IcedID, Nymaim, Trickbot, Fareit, Neutrino, AZORult, Gandcrab and Hermes.
The malicious emails and infected files targeting US businesses were mostly fake CVs (42 per cent) and fake unpaid invoices (21 per cent). Bromium also says same servers have been used on multiple occasions to run different campaigns, which leads it to believe that the servers are part of the Necurs botnet.
Bromium’s spokesperson said the researchers believe there are multiple threat actors, one for developing and operating the malware and the other for executing phishing campaigns. “It’s the malware equivalent of Amazon fulfilment and suggests a very close relationship, making it possible for malware to be developed and delivered to inboxes in a matter of hours.”
The spokesperson says this type of work allows non-US-based hackers to avoid geoblocks on content from restricted countries (think Iran or North Korea).
“These findings demonstrate the enduring effectiveness of phishing to spread malware and infect enterprise systems,” the spokesperson continues.
“Phishing emails have become harder to spot, and hackers know they only need to get it right once. To defend against these threats, organizations must adopt layered cybersecurity defences that utilize application isolation to contain malicious threats, while providing rich-threat telemetry about the hacker’s intent. This allows employees to get on with their jobs without worrying about being the source of a breach, and leaves cybercriminals unable to deliver the goods.”
Image source: Shutterstock/wk1003mike